Facebook recently announced that mobile chat functionality would soon require users to install Facebook Messenger. Fueled by the media, many people have been overreacting to the permissions that Messenger requests before taking the time to understand what the true privacy implications are.

In a nutshell, Messenger is hardly an outlier relative to the other social media apps on your phone.

Why the uproar, then? In part, people love to pick on Facebook because of their past privacy UI transgressions. They've deserved much of that. But it's a little crazy that there's such an incendiary reaction to the privacy implications of a mobile app that, permissions-wise, isn't that different from the multitude of social apps people happily download without a second thought.

Still skeptical? We (and by "we" I mean Andrew Reiter) made a list of the Android permissions requested by the latest Facebook Messenger app. Then we checked the remaining 49 of the top 50 social apps in the Google Play store to see how many of those requested the same permissions. To nobody's surprise whatsoever, they are all pretty greedy.


If it's not obvious how to read this chart, here's an example: 67% of the other popular social apps also require the READ_CONTACTS permission. 47% of them require the CAMERA permission. And so on. Again, this shouldn't surprise anybody. Mobile apps need these permissions if you want them to function properly. Messenger is a feature-packed app; some of the others may not be. Asking for all those permissions doesn't necessarily mean the access will be abused. We didn't do the meta-analysis to determine how many of those permissions were requested by first-party code vs. third-party ad libraries. Ad libraries are old news at this point, and it kind of doesn't matter who's asking for permission as long as you're granting it. So stop freaking out... at least until there is something to freak out about.
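The comparison behind the chart can be reproduced from per-app permission lists. This is an added example, not the code used for the original analysis: the package names and permission lists are constructed, and the input is assumed to look like `aapt dump permissions` output in either of its two line styles.

```python
import re
from collections import Counter

# Requested permissions only. Accepts both "uses-permission: android.permission.X"
# and "uses-permission: name='android.permission.X'" (assumed dump line styles).
# Lines starting with "permission:" (permissions an app declares) are ignored.
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)", re.M)

def parse_permissions(dump):
    """Return the set of permission names requested in one app's dump."""
    return set(PERM_RE.findall(dump))

def prevalence(baseline, others):
    """For each baseline permission, the percent of other apps requesting it."""
    if not others:
        raise ValueError("need at least one app to compare against")
    counts = Counter(p for perms in others.values() for p in perms & baseline)
    return {p: round(100 * counts[p] / len(others)) for p in sorted(baseline)}

def compare(baseline_dump, other_dumps):
    """Parse every dump, then score the baseline app's permissions."""
    others = {pkg: parse_permissions(d) for pkg, d in other_dumps.items()}
    return prevalence(parse_permissions(baseline_dump), others)

# Constructed sample data (hypothetical packages, not real apps).
BASELINE_DUMP = """package: com.example.messenger
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
permission: com.example.messenger.permission.INTERNAL
"""
OTHER_DUMPS = {
    "com.example.app1": "uses-permission: android.permission.READ_CONTACTS\n"
                        "uses-permission: android.permission.CAMERA\n",
    "com.example.app2": "uses-permission: name='android.permission.READ_CONTACTS'\n"
                        "uses-permission: name='android.permission.INTERNET'\n",
    "com.example.app3": "uses-permission: name='android.permission.INTERNET'\n",
    "com.example.app4": "uses-permission: name='android.permission.CAMERA'\n"
                        "uses-permission: name='android.permission.READ_CONTACTS'\n",
}

if __name__ == "__main__":
    for perm, pct in compare(BASELINE_DUMP, OTHER_DUMPS).items():
        print(f"{pct:3d}%  {perm}")
```

Permissions that only the other apps request (INTERNET in the sample) are left out on purpose, since the chart only asks how common the baseline app's own requests are.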

About Chris Eng

Chris Eng, vice president of research, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Comments (1)

Dave Howe | August 14, 2014 5:03 am

Depends on if they block the mobile version of the website. Currently, *exactly* because I can't approve the permissions the apps require, I access social sites such as Farcebook and LinkFarm via the mobile web browser.

Also currently, I can access messaging from Android Chrome without needing to allow *ANY* access to mobile resources.

If Farcebook choose to make access from mobiles app-only, then I will stop using it rather than install the app.
